emanuele-f / PCAPdroid

No-root network monitor, firewall and PCAP dumper for Android
https://emanuele-f.github.io/PCAPdroid
GNU General Public License v3.0

Feature request: show outgoing traffic filtered out by the AFWall app. #386

Open ioctl-user opened 9 months ago

ioctl-user commented 9 months ago

I have the following situation: My phone is rooted, the AFWall+ app is installed, and a lot of apps have their network connection disabled. Sometimes the mobile phone status bar shows heavy outgoing traffic, but PCAPdroid doesn't catch it. My router WEB-interface also doesn't show it. So, I think that the phone status bar shows traffic before AFWall iptables, while PCAPdroid shows traffic after iptables.

I would like to see which app has outgoing traffic without disabling AFWall. So, it would be nice to have such a possibility in a PCAPdroid, if possible.

anpic commented 9 months ago

My router WEB-interface also doesn't show it.

Install OpenWrt or DD-WRT on the router

Sometimes mobile phone status bar shows heavy outgoing traffic

It doesn't mean anything. It's necessary to conduct a specific traffic analysis on the external gateway. For example, on a router.

I would like to see which app has outgoing traffic without disabling AFWall. So, it would be nice to have such a possibility in a PCAPdroid, if possible.

PCAPdroid already has a root monitor

anpic commented 9 months ago

So, I think that the phone status bar shows traffic before AFWall iptables, while PCAPdroid shows traffic after iptables.

Most likely it is. This means that the traffic is successfully blocked. And the issue to add a firewall in root mode has been around for a long time: https://github.com/emanuele-f/PCAPdroid/issues/203

emanuele-f commented 9 months ago

Sometimes mobile phone status bar shows heavy outgoing traffic, but PCAPdroid doesn't catch it

If the traffic is blocked early, PCAPdroid in non-root mode won't see it. To see it, you just need to run PCAPdroid with the root capture enabled

anpic commented 9 months ago

To see it, you just need to run PCAPdroid with the root capture enabled

It won't show anyway. If AFWall blocks earlier.

ioctl-user commented 9 months ago

Router web interface doesn't show traffic because there is no traffic via router :)

PCAPdroid works in the root mode in my case.

ioctl-user commented 9 months ago

Could you please note, why this request was closed?

emanuele-f commented 9 months ago

You said root capture in PCAPdroid worked for your need, right? Is there anything else you want to discuss?

ioctl-user commented 9 months ago

Just reread my messages and it seems they need clarification. Sorry for the misunderstanding.

So, phone is rooted and root capture of PCAPdroid is turned on. AFwall is also turned on.

PCAPdroid doesn't capture packets killed by AFwall. Because, it seems, AFwall kills outgoing packets before they were captured by PCAPdroid.

This seems to be a problem.

anpic commented 9 months ago

Could you please note, why this request was closed?

In fact, the topic could really be continued :) In networklog there were several modes of operation: in front of the firewall and behind the firewall. It has implemented cool statistics, but they don't seem to be needed here ;)

emanuele-f commented 9 months ago

PCAPdroid doesn't capture packets killed by AFwall. Because, it seems, AFwall kills outgoing packets before they were captured by PCAPdroid.

My bad, in root mode PCAPdroid captures the packets via libpcap, just before they reach the network interface (so after the iptables logic is applied).

Here are some ideas which could help, however none of them seems well suited for your use case:

Related: #111

anpic commented 9 months ago

E.g. running two PCAPdroid instances, one in non-root and the other in root mode

The problem with this variant may also be that the only one VpnService may be needed for the external VPN connection itself. Of course, there is a variant with work profiles, but this requires additional actions and skills.

  • Doing a step back, in theory iptables has counters for packets/bytes matching rules (e.g. iptables -L -v), but I'm not sure that these are enabled in Android. This could be something to evaluate in afwall, to have some kind of rule stats

This is a very good variant. For example, through /data/data/dev.ukanth.ufirewall/app_bin/nflog Just not for dumb users at all ;) But then firewalls aren't needed, but can do everything with scripts :)
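
The rule-counter idea quoted above (`iptables -L -v`), as an added example that is not part of the thread and is not PCAPdroid or AFWall+ code: it parses the same per-rule counters in the `[packets:bytes]` form printed by `iptables-save -c` and totals blocked traffic per owner UID. The chain names, UIDs and counter values in the sample are constructed, and the function name `blocked_by_uid` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format printed by `iptables-save -c`.
# Chain names, UIDs and counters are made up for illustration.
SAMPLE = """\
*filter
:OUTPUT ACCEPT [120:9000]
:fw-out - [0:0]
:fw-reject - [0:0]
[500:64000] -A OUTPUT -j fw-out
[40:3200] -A fw-out -m owner --uid-owner 10111 -j RETURN
[310:48050] -A fw-out -m owner --uid-owner 10123 -j fw-reject
[12:720] -A fw-out -m owner --uid-owner 10150 -j fw-reject
[7:420] -A fw-out -o wlan0 -j DROP
[322:48770] -A fw-reject -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

RULE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")
UID = re.compile(r"--uid-owner\s+(\d+)")
TARGET = re.compile(r"(?:^|\s)-j\s+(\S+)")

def blocked_by_uid(dump, block_targets=("DROP", "REJECT", "fw-reject")):
    """Sum counters of blocking rules per owner UID, heaviest first.

    Rules without an owner match are keyed by None: their counters
    cannot be attributed to a single app.
    """
    totals = defaultdict(lambda: [0, 0])
    for line in dump.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # table header, chain policy line, COMMIT
        pkts, nbytes, chain, spec = m.groups()
        if chain in block_targets:
            continue  # already counted at the rule that jumped here
        target = TARGET.search(spec)
        if not target or target.group(1) not in block_targets:
            continue  # not a blocking rule (e.g. RETURN, jump to fw-out)
        uid = UID.search(spec)
        key = int(uid.group(1)) if uid else None
        totals[key][0] += int(pkts)
        totals[key][1] += int(nbytes)
    return sorted(((k, p, b) for k, (p, b) in totals.items()),
                  key=lambda row: row[2], reverse=True)

if __name__ == "__main__":
    for uid, pkts, nbytes in blocked_by_uid(SAMPLE):
        print(f"uid={uid} packets={pkts} bytes={nbytes}")
```

Taking two dumps a few seconds apart and subtracting the totals shows which UID is producing the blocked traffic at that moment.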